CN101647228A - System and method for certificate distribution - Google Patents


Info

Publication number
CN101647228A
Authority
CN
China
Prior art keywords
certificate
channel
subscriber equipment
key
binary representation
Legal status
Granted
Application number
CN200880010601A
Other languages
Chinese (zh)
Other versions
CN101647228B (en
Inventor
M·本特施
P·布勒
T·艾里希
T·克兰普
T·D·威戈尔德
Current Assignee
International Business Machines Corp
Original Assignee
International Business Machines Corp
Application filed by International Business Machines Corp
Publication of CN101647228A
Application granted
Publication of CN101647228B
Expired - Fee Related

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0827 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving distinctive intermediate devices or communication paths
    • H04L9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/08 Randomization, e.g. dummy operations or using noise
    • H04L2209/56 Financial cryptography, e.g. electronic payment or e-cash
    • H04L2209/80 Wireless
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04L63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Telephonic Communication Services (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a method for distributing a set of certificates from a certificate issuer to a certificate user, wherein the certificate user has a user device and wherein a first channel and a second channel are provided for communication between the user device and the certificate issuer. The method comprises the steps of: distributing a shared key between the user device and the certificate issuer via the second channel; generating a binary representation of the set of certificates that has a predefined maximum level of deviation from a uniform distribution; encrypting the binary representation of the set of certificates with the shared key; distributing the encrypted set of certificates from the certificate issuer to the user device via the first channel; and decrypting the encrypted set of certificates on the user device with the shared key.

Description

System and method for certificate distribution
Technical field
The present invention relates to a method for distributing one or more certificates from a certificate issuer to a certificate user. The invention also relates to a corresponding system, a corresponding server, a corresponding user device and a corresponding computer program.
Background art
A certificate can be, for example, a one-time authentication code (OTAC) such as a Transaction Identification Number (TAN). A certificate can also be, for example, a personal identification number (PIN), a password, an activation code or strong cryptographic key material.
One-time authentication codes are popular in the field of online transactions, where they take the form of paper-based scratch lists of transaction authentication numbers. Paper-based scratch lists are neither very secure nor easy to obtain. A scratch list is usually sent to the customer by surface mail from a service provider such as a bank. A mailed scratch list may be intercepted on the way and copied. In addition, many customers cannot be relied upon to keep the scratch list in a safe place, for example in a safe. This is especially true when the scratch list is used frequently. A frequently used scratch list may be exposed because it is left lying around, for example on a desk. This gives other people an opportunity to obtain the scratch list. If the customer carries the scratch list, it may be lost or stolen. The OTACs in a scratch list are usually not encrypted. The customer account number, which is normally combined with an OTAC to carry out a transaction, is widely regarded as public. For many customers it is inconvenient to keep track manually of which OTACs have been used. When moving from one scratch list to another, the customer needs to store or carry two scratch lists for a time. This increases the security risk. Moreover, it is rather complicated for the issuing service provider to print and mail paper-based scratch lists in a timely manner.
WO98/37524 describes a transaction method that uses a mobile device. The method uses an international debit user ID (IDUI) number to identify an individual account. The IDUI is similar to a customer's bank account number. In particular, the IDUI is preloaded onto a debit/credit card. In operation, a point-of-sale (POS) terminal reads the IDUI from the debit/credit card and displays the amount to be deducted from the identified account. The customer completes the transaction by pressing a confirmation button on the POS terminal. The POS terminal sends a transaction receipt to a server at the bank responsible for the account. WO98/37524 proposes pre-storing the IDUI on a Subscriber Identity Module (SIM) smart card, as used for example in GSM mobile telephone networks, rather than on a magnetic stripe or memory card. The terminal then reads the IDUI from the smart card in a contactless manner. The transaction receipt is sent to the server by SMS message for verification. This scheme only discusses using the IDUI for transactions with a POS terminal via a contactless interface and exchanging SMS messages for transaction verification. The scheme is not suitable for OTAC delivery, because the IDUI is fixed for each account, whereas OTACs are not. Similar electronic payment systems are described in EP1 176 844, WO99/16029, WO00/495585, WO01/09851, WO02/21464 and WO01/93528.
EP 1559256 B1 describes a method for providing a set of access codes to a user device. According to this method, a strong symmetric key, such as a 16-byte Data Encryption Standard (DES) key, is used to encrypt the access codes.
One object of the present invention is to provide other solutions for certificate distribution.
Another object of the present invention is to provide a solution for the initial distribution of certificates from a certificate issuer to a certificate user.
Another object of the present invention is to provide a solution for distributing certificates that are widely applicable.
Another object of the present invention is to provide a widely applicable solution for certificate distribution.
Summary of the invention
The present invention relates to a method, a system, a server, a user device and a computer program as defined in the independent claims.
According to a first aspect of the invention, a method is provided for distributing a set of certificates from a certificate issuer to a certificate user, wherein the certificate user has a user device and wherein a first channel and a second channel are provided for communication between the user device and the certificate issuer, the method comprising the steps of:
- distributing a shared key between the user device and the certificate issuer via the second channel,
- generating a binary representation of the set of certificates that has a predefined maximum level of deviation from a uniform distribution,
- encrypting the binary representation of the set of certificates with the shared key,
- distributing the encrypted set of certificates from the certificate issuer to the user device via the first channel,
- decrypting the encrypted set of certificates on the user device with the shared key.
The predefined maximum level of deviation from a uniform distribution limits how much redundancy the binary representation of the set of certificates can contain. In other words, it limits how much structure the binary representation of the set of certificates can contain. Furthermore, the predefined maximum level of deviation from a uniform distribution can limit or specify that the binary representation of the set of certificates has a distribution of 0s and 1s that is sufficiently close to uniform for the security requirements of the respective application or system. Providing a predefined maximum level of deviation from a uniform distribution in the binary representation of the set of certificates enhances the security of distributing the set of certificates. The binary representation of the set of certificates may have the maximum level of deviation from a uniform distribution, but it may also have a lower level of deviation. The lower the maximum level of deviation from a uniform distribution, the closer the binary representation of the set of certificates is to a uniform distribution of 0s and 1s, the less structure and redundancy the set of certificates contains, and the less vulnerable the set of certificates is to a brute-force key search attack. In other words, an attacker cannot rely on structural information to determine on his own, by trying keys, whether the set of certificates has been decrypted correctly.
Setting a predefined maximum level of deviation from a uniform distribution bounds a security-relevant variable that would otherwise be unknown, unreliable or undetermined. This allows the other security-relevant variables of the certificate distribution system to be set in accordance with this predefined maximum level of deviation from a uniform distribution. It also allows a more flexible design of the certificate distribution system. Preferably, the certificate issuer sets, determines or selects the predefined maximum level of deviation from a uniform distribution according to the respective application.
In particular, setting a predefined maximum level of deviation from a uniform distribution for the binary representation allows the key length of the shared key to be reduced.
According to an embodiment of the invention, the maximum level of deviation from a uniform distribution is zero or close to zero. In other words, the binary representation of the set of certificates is uniformly or nearly uniformly distributed.
According to an embodiment of the invention, the predefined maximum level of deviation from a uniform distribution can be defined or determined by a set of randomness tests, including their respective configurations, which accept the generated binary representation of the set of certificates as sufficiently random, i.e. sufficiently uniformly distributed.
According to an embodiment of the invention, the predefined maximum level of deviation from a uniform distribution is determined or defined by the percentage of trial keys that a brute-force attack can exclude because trial decryption with them yields an invalid set of certificates (i.e. a decryption result that does not look like a valid set of certificates).
According to an embodiment of the invention, the predefined maximum level of deviation from a uniform distribution is set such that the level of randomness of the binary representation of the set of certificates is greater than zero.
According to an embodiment of the invention, the predefined maximum level of deviation from a uniform distribution is defined as a predefined minimum level of randomness of the binary representation of the set of certificates.
According to an embodiment of the first aspect of the invention, the method further comprises the step of providing a decrypted certificate from the certificate user to the certificate issuer for verification, wherein the certificate issuer is arranged to allow only a predefined number of verification attempts.
The smaller the predefined number of verification attempts, the smaller the likelihood that an attacker finds the shared key before the certificate issuer disables the respective account. Because the binary representation of the certificates has a predefined maximum level of deviation from a uniform distribution, an attacker cannot exclude shared keys, or can exclude only very few shared keys, by exploiting the structure of the output of a sample decrypted with a trial shared key. In other words, the attacker needs the verification feedback of the certificate issuer to check whether a selected trial shared key matches or can be excluded.
According to an embodiment of the first aspect of the invention, the predefined maximum level of deviation from a uniform distribution of the binary representation of the set of certificates depends on a predefined security level, the key length of the shared key and the predefined number of verification attempts.
According to this embodiment of the first aspect of the invention, the predefined maximum level of deviation from a uniform distribution is selected, determined or set according to three different parameters. The predefined security level serves as the first parameter. This predefined security level can be set or selected by the certificate issuer and can be defined by the probability that a brute-force key search attack succeeds. Preferably, the certificate issuer sets or determines the predefined security level according to the needs of the application and of its customers.
The second parameter that determines or influences the predefined maximum level of deviation from a uniform distribution is the key length of the shared key. The longer the shared key, the larger the key space and the more trial keys an attacker carrying out a brute-force key search attack has to choose from.
The third parameter that determines or influences the predefined maximum level of deviation from a uniform distribution is the predefined number of verification attempts. The smaller the predefined number of verification attempts, the smaller the likelihood that a brute-force key search attack succeeds.
All three parameters together influence or determine the predefined maximum level of deviation from a uniform distribution.
According to an embodiment of the first aspect of the invention, the shared key is a weak key.
A weak key is understood as an encryption key that is weak with respect to a brute-force key search attack (i.e. an exhaustive search of the key space). Such a brute-force key search attack can be based on a binary representation of the set of certificates that contains a level of redundancy or structure sufficient to rule out trial keys. Such a brute-force key search attack can be carried out by a man-in-the-middle attacker who intercepts the message containing the set of certificates. The attacker can attempt to distinguish decrypted samples by analyzing the structure of the resulting output. In other words, the attacker knows that the plaintext message containing the set of certificates has a certain structure or character distribution. Wrong guesses of the weak key, which do not produce this known structure or character distribution but instead produce a uniform or nearly uniform distribution of 0s and 1s, can be excluded.
Such a brute-force key search attack depends on the length of the key used and on the resulting resistance to the attack. In other words, a weak key according to an embodiment of the invention is a key with a small key size or short key length. Usually, a key is regarded as a weak key if a brute-force attack on it is computationally feasible.
Generally speaking, as computing power develops, the key length of keys regarded as strong encryption keys will become longer and longer and, correspondingly, the key length of keys regarded as weak keys will also become longer and longer.
At present, for many applications a strong encryption key is regarded as a key with at least 112 bits, for example a 2-key triple DES (Data Encryption Standard) key. Accordingly, a weak key according to an embodiment of the invention is understood as a key with fewer than 112 bits.
The Advanced Encryption Standard (AES) currently uses a minimum key size of 128 bits. Accordingly, a weak key according to another embodiment of the invention is understood as a key with fewer than 128 bits.
The U.S. government uses 192-bit or 256-bit AES keys for top-secret data. Accordingly, a weak key according to another embodiment of the invention is understood as a key with fewer than 192 or 256 bits.
Using a weak key to encrypt the set of certificates has the advantage that it facilitates user input during the setup or customization of some software on the user device. This is particularly useful for user devices with a limited keypad or display, such as mobile phones.
According to an embodiment of the invention, the shared key comprises 10 bits or fewer. According to another embodiment of the invention, the shared key comprises 50 bits or fewer. According to another embodiment of the invention, the shared key comprises 100 bits or fewer. The respective key length can be selected according to the predefined maximum level of deviation from a uniform distribution of the binary representation of the set of certificates, the predefined security level and the predefined number of verification attempts. Setting a predefined maximum level of deviation from a uniform distribution for the binary representation of the set of certificates makes it possible to use such short shared keys.
According to an embodiment of the first aspect of the invention, the second channel comprises a human user interface. The human user interface can be provided on the user device. Providing a human user interface in the second channel has the advantage that the method is widely applicable, because a human user interface is part of most electronic devices.
According to an embodiment of the first aspect of the invention, the method further comprises the steps of:
- generating and displaying the shared key on the user device,
- manually entering the shared key on another device of the certificate user,
- sending the shared key from said other device to the certificate issuer.
In this embodiment, the shared key is generated by the user device and then distributed to the certificate issuer. This gives the certificate user greater flexibility and allows him to initiate the shared key distribution spontaneously. In particular, the other device can be a computer.
According to an embodiment of the first aspect of the invention, the method further comprises the steps of:
- generating the shared key at the certificate issuer,
- sending the shared key from the certificate issuer to another device,
- displaying the shared key on said other device,
- manually entering the shared key on the user device by the user.
In this embodiment, the shared key is generated by the certificate issuer and then distributed to the user device of the certificate user. This gives the certificate user greater flexibility. In particular, the other device can be a computer.
According to an embodiment of the first aspect of the invention, a certificate comprises a predefined number of certificate symbols, and the certificate symbols are elements of a certificate alphabet.
As an example, a certificate can be a Transaction Identification Number (TAN) consisting of, for example, 6 decimal digits. In this example, the decimal digits 0-9 are the certificate symbols that form the certificate alphabet.
According to an embodiment of the first aspect of the invention, the size of the certificate alphabet is chosen as a power of 2.
The advantage of this is that the binary representation of the certificate symbols can be implemented without any redundancy or structure. In other words, each certificate symbol corresponds to a specific binary representation. The selected binary coding scheme contains no binary representation that does not correspond to a valid certificate.
As an example, the certificate alphabet can be formed by the 16 hexadecimal digits 0-9 and A-F. Each of these hexadecimal digits is converted into a 4-bit binary representation. These 4 bits have 2^4=16 binary combinations, and each combination corresponds to one hexadecimal digit.
According to an embodiment of the first aspect of the invention, the method further comprises the step of adding noise symbols to the set of certificates.
A noise symbol is a symbol that does not represent a valid certificate. The advantage of adding noise symbols is that an attacker carrying out a brute-force attack cannot simply exclude binary representations that do not correspond to valid certificate symbols.
According to an embodiment of the first aspect of the invention, the noise symbols are taken from a noise alphabet consisting of the certificate symbols and one or more noise symbols, wherein the size of the noise alphabet is chosen as a power of 2.
As an example, the certificate symbols can be represented by the decimal digits 0-9 of the hexadecimal system, and the noise symbols by the characters A-F. Under this symbol representation, the whole hexadecimal alphabet, comprising the certificate symbols 0-9 and the noise symbols A-F, forms the noise alphabet.
Using a noise alphabet whose size is a power of 2 has the advantage that the binary representation of the noise alphabet can be implemented without any redundancy or structure. In other words, each certificate symbol and each noise symbol corresponds to a specific binary representation, and the selected binary coding scheme contains no binary representation that does not correspond to a noise symbol or a certificate symbol.
According to an embodiment of the first aspect of the invention, the method further comprises the steps of:
- generating a set of certificates comprising a predefined number of certificate symbols,
- generating a random message consisting of dummy certificate symbols and noise symbols taken from the noise alphabet, wherein the number of dummy certificate symbols is greater than or equal to the predefined number of certificate symbols of the set of certificates,
- replacing a predefined set of the dummy certificate symbols in the random message with the certificate symbols of the set of certificates,
- generating a binary representation of the random message, thereby establishing the binary representation of the set of certificates that has a predefined maximum level of deviation from a uniform distribution.
The advantage of this embodiment of the invention is that the set of certificates can be generated independently of the generation of the binary representation. This allows the set of certificates to be generated by a unit or entity separate from the unit or entity that generates the binary representation. The set of certificates can thus be generated in a secure, closed environment, and the algorithm that generates the set of certificates can be kept secret.
As an example, a first processing unit can generate the set of certificates. This first processing unit can be located in a high-security zone of the certificate issuer. The first processing unit sends or forwards the set of certificates to a second processing unit, which is provided to generate the binary representation of the set of certificates with a predefined maximum level of deviation from a uniform distribution.
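The noise-symbol procedure above, as an added example (not code from the patent): TAN digits are embedded in a random message over the 16-symbol noise alphabet 0-9/A-F and packed at 4 bits per symbol, then compared with a plain ASCII encoding by counting how many trial keys still produce a structurally valid decryption. The SHA-256 keystream cipher, the 10-bit key, the 96-symbol message length and the use of the first digit positions as the "predefined set" are assumptions made for illustration.

```python
import hashlib
import secrets

NOISE_ALPHABET = "0123456789ABCDEF"  # certificate symbols 0-9 plus noise symbols A-F (2**4)
KEY_BITS = 10                         # constructed short shared key ("10 bits or fewer")
MESSAGE_SYMBOLS = 96                  # constructed message length, packs into 48 bytes
TAN_LENGTH = 6                        # 6 decimal digits per TAN, as in the page's example


def keystream_xor(key: int, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with a SHA-256 counter-mode keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key.to_bytes(2, "big") + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def embed(tans, rng=secrets.SystemRandom()):
    """Random message over the noise alphabet with the TAN digits replacing the
    first dummy digits (assumed 'predefined set'), packed at 4 bits per symbol.
    The TAN digits are assumed to be uniformly random themselves."""
    digits = "".join(tans)
    while True:
        message = [rng.choice(NOISE_ALPHABET) for _ in range(MESSAGE_SYMBOLS)]
        slots = [i for i, s in enumerate(message) if s.isdigit()]
        if len(slots) >= len(digits):  # enough dummy certificate symbols
            break
    for slot, digit in zip(slots, digits):
        message[slot] = digit
    return bytes.fromhex("".join(message))


def extract(packed: bytes, count: int):
    """Receiver side: drop the noise symbols and read `count` TANs.
    Returns None only if the message holds too few certificate symbols."""
    digits = [s for s in packed.hex().upper() if s.isdigit()]
    if len(digits) < count * TAN_LENGTH:
        return None
    return ["".join(digits[i * TAN_LENGTH:(i + 1) * TAN_LENGTH]) for i in range(count)]


def surviving_keys(ciphertext: bytes, looks_valid) -> list:
    """Trial keys whose decryption cannot be ruled out from structure alone."""
    return [k for k in range(2 ** KEY_BITS) if looks_valid(keystream_xor(k, ciphertext))]


def demo(key: int = 0x2A7):
    """Encrypt four constructed TANs both ways and count the surviving trial keys."""
    tans = ["".join(secrets.choice("0123456789") for _ in range(TAN_LENGTH))
            for _ in range(4)]
    ascii_ct = keystream_xor(key, "".join(tans).encode("ascii"))
    packed_ct = keystream_xor(key, embed(tans))
    # ASCII digits: every byte must lie in '0'..'9', so wrong keys stand out.
    ascii_left = surviving_keys(ascii_ct, lambda p: p.isdigit())
    # Noise alphabet: every 4-bit pattern is a valid symbol.
    packed_left = surviving_keys(packed_ct, lambda p: extract(p, 4) is not None)
    recovered = extract(keystream_xor(key, packed_ct), 4)
    return tans, recovered, len(ascii_left), len(packed_left)


if __name__ == "__main__":
    tans, recovered, ascii_left, packed_left = demo()
    print("round trip ok:", recovered == tans)
    print("trial keys left, ASCII encoding :", ascii_left)
    print("trial keys left, noise alphabet :", packed_left)
```

With the ASCII encoding the correct key is the only survivor, so the 10-bit key falls to an offline search; with the noise alphabet every trial key yields a plausible TAN list, which leaves the issuer's limited verification attempts as the only oracle.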
According to an embodiment of first aspect present invention, generate the binary system that has the set of certificates of predefine maximum deviation level with respect to even distribution, expression comprises substep:
-generation has first first expression of the set of certificates of level at random,
-first expression be transformed into have second second expression of the set of certificates of level at random, wherein second at random level be higher than first level at random,
-second expression of set of certificates is transformed into the binary representation that has predefine maximum deviation level with respect to being evenly distributed.
According to this embodiment of the invention, the binary representation of the set of certificates is generated in three steps. In the first step, a first representation having a first level of randomness is generated. The first level of randomness corresponds to a first level of deviation from a uniform distribution. In the subsequent second step, the first representation is transformed into a second representation having a higher level of randomness. The second level of randomness corresponds to a second level of deviation from a uniform distribution, which is lower than the first level of deviation. In other words, the second step removes structure or redundancy from the first representation. In the third step, the second representation is transformed into a binary representation having a predefined maximum level of deviation from a uniform distribution. The maximum level of deviation from a uniform distribution corresponds to a minimum level of randomness.
Preferably, the first representation and the second representation are non-binary representations. The third step converts these non-binary representations into a binary representation.
According to an embodiment of the first aspect of the invention, the set of certificates is divided into units for binary conversion, wherein the units for binary conversion are selected such that the ratio of binary representations that do not represent certificate symbols is less than a predefined ratio.
By a brute-force attack, an attacker can only exclude trial decryptions that do not represent valid certificate symbols. Limiting the ratio of such representations therefore reduces the susceptibility to brute-force attacks. As an example, the predefined ratio can be set to 1%, which means that at most 1% of the binary representations of the selected unit for binary conversion do not represent valid certificate symbols. Other example embodiments of the invention may use predefined ratio values of, for example, 0.01%, 0.0001% or 5%.
According to an embodiment of the first aspect of the invention, the set of certificates is divided into units for binary conversion that each comprise two or more certificate symbols.
Using units for binary conversion that comprise two or more certificate symbols improves flexibility and increases the number of possible units. This increases the chance of selecting a good or optimal unit for binary conversion that introduces no redundancy or only little redundancy. If the set of certificates is a TAN list, then for example 3 or 6 decimal digits can form the unit for binary conversion.
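As an added illustration (not part of the patent text), the following Python sketch computes, for a unit of u certificate symbols over an alphabet of k symbols, how many bits the unit needs and the exact share of bit patterns that represent no valid unit, and then lists the unit sizes that stay below a predefined ratio. The function names and the 60-symbol search limit are assumptions made for this example.

```python
from fractions import Fraction


def unit_stats(k, u):
    """Return (bits, invalid_ratio) for a conversion unit of u certificate
    symbols over an alphabet of k symbols.

    bits is the smallest b with 2**b >= k**u; invalid_ratio is the exact
    share of b-bit patterns that do not represent any valid unit.
    """
    if k < 1 or u < 1:
        raise ValueError("k and u must be >= 1")
    valid = k ** u                      # number of distinct valid units
    bits = (valid - 1).bit_length()     # bits needed to number them 0..valid-1
    return bits, Fraction(2 ** bits - valid, 2 ** bits)


def acceptable_units(k, max_symbols, max_ratio):
    """List (u, bits, invalid_ratio) for every unit size u <= max_symbols
    whose invalid-pattern ratio is less than the predefined max_ratio."""
    found = []
    for u in range(1, max_symbols + 1):
        bits, ratio = unit_stats(k, u)
        if ratio < max_ratio:
            found.append((u, bits, ratio))
    return found


if __name__ == "__main__":
    # Decimal TAN digits (k = 10): one digit per 4 bits wastes 6 of 16
    # patterns, while 3 or 6 digits per unit waste far fewer.
    for u in (1, 3, 6):
        bits, ratio = unit_stats(10, u)
        print(f"{u} digit(s) -> {bits} bits, invalid share {float(ratio):.4%}")

    # Unit sizes up to 60 digits that meet two of the example ratios.
    for limit in (Fraction(5, 100), Fraction(1, 100)):
        sizes = [u for u, _, _ in acceptable_units(10, 60, limit)]
        print(f"below {float(limit):.0%}: unit sizes {sizes}")
```

For decimal digits, a 3-digit unit occupies 10 bits with 24 of 1024 patterns invalid, and a 6-digit unit occupies 20 bits with 48576 of 1048576 patterns invalid, so both meet the 5% example value but not the 1% one.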
According to an embodiment of the first aspect of the invention, the first channel is an untrusted channel and the second channel is a trusted channel.
An untrusted channel is understood as a channel that the certificate user and/or the certificate issuer do not trust. An untrusted channel is susceptible to man-in-the-middle attacks. A trusted channel is understood as a channel that the certificate user and the certificate issuer trust.
According to an embodiment of the first aspect of the invention, the certificates are one-time authentication codes. Such a one-time authentication code can be, for example, a TAN used for online banking transactions.
According to an embodiment of the first aspect of the invention, the first channel is a wireless communication channel, and the second channel comprises one of a secure internet connection, a telephone line and a mail service.
Such channels are widespread and allow broad use of the method.
According to an embodiment of the first aspect of the invention, the subscriber equipment comprises one of a mobile phone and a personal digital assistant.
Such devices are widespread and allow broad use of the method.
According to an embodiment of the invention, the subscriber equipment is a trusted device. A trusted device is understood as a device that the certificate user trusts. Preferably, the trusted device is owned and/or controlled by the certificate user. Preferably, the certificate issuer also trusts the trusted device.
According to an embodiment of the invention, a binary representation with a uniform distribution is defined as a distribution in which the binary values 1 and 0 are equally probable.
According to a second aspect of the invention, a method is provided for distributing a set of certificates from a certificate issuer to a certificate user, wherein the certificate user has subscriber equipment, wherein a first channel and a second channel are provided for communication between the subscriber equipment and the certificate issuer, and wherein the method comprises, in a certificate server, the steps of:
- generating a shared key and distributing the shared key to the subscriber equipment, or receiving a shared key from the subscriber equipment, via the second channel,
- generating a binary representation of the set of certificates that has a predefined maximum level of deviation from a uniform distribution,
- encrypting the binary representation of the set of certificates with the shared key,
- distributing the encrypted set of certificates to the subscriber equipment via the first channel.
This aspect of the invention relates to the method steps performed by the certificate server.
According to a third aspect of the invention, a computer program comprising instructions is provided, the instructions carrying out the steps of the method according to the second aspect of the invention when the computer program is executed on a computer system.
The computer system can be established by the certificate server.
According to a fourth aspect of the invention, a method is provided for receiving, in subscriber equipment, a set of certificates from a certificate server, wherein a first channel and a second channel are provided for communication between the subscriber equipment and the certificate server, and wherein the method comprises, in the subscriber equipment, the steps of:
- generating a shared key and distributing the shared key to the certificate server, or receiving a shared key from the certificate server, via the second channel,
- receiving a binary representation of the set of certificates that has a predefined maximum level of deviation from a uniform distribution, wherein the binary representation of the set of certificates is encrypted with the shared key,
- decrypting the encrypted set of certificates with the shared key,
- storing the decrypted set of certificates.
This aspect of the invention relates to the method steps performed by the subscriber equipment.
According to a fifth aspect of the invention, a computer program comprising instructions is provided, the instructions carrying out the steps of the method according to the fourth aspect of the invention when the computer program is executed on a computer system.
The computer system can be established by the subscriber equipment.
According to a sixth aspect of the invention, a method is provided for securely transmitting a set of certificates from a certificate issuer to a certificate user via an untrusted channel, the method comprising the steps of:
- generating a binary representation of the set of certificates that has a predefined maximum level of deviation from a uniform distribution,
- encrypting the binary representation of the set of certificates with a shared key,
- sending the encrypted set of certificates from the certificate issuer to the certificate user via the untrusted channel.
This aspect of the invention relates to a method for securely transmitting a set of certificates from a certificate issuer to a certificate user via an untrusted channel. Distribution of the shared key is not the subject matter of this aspect of the invention. It is assumed that the certificate issuer and the certificate user have a shared key.
According to a seventh aspect of the invention, a computer program comprising instructions is provided, the instructions carrying out the steps of the method according to the sixth aspect of the invention when the computer program is executed on a computer system.
The computer system can be established by the certificate server of the certificate issuer.
According to a further aspect of the invention, a system is provided for distributing a set of certificates from a certificate issuer to a certificate user, wherein the certificate user has subscriber equipment, wherein a first channel and a second channel are provided for communication between the subscriber equipment and the certificate issuer, and wherein the system is provided for:
- distributing a shared key between the subscriber equipment and the certificate issuer via the second channel,
- generating a binary representation of the set of certificates that has a predefined maximum level of deviation from a uniform distribution,
- encrypting the binary representation of the set of certificates with the shared key,
- distributing the encrypted set of certificates from the certificate issuer to the subscriber equipment via the first channel,
- decrypting the encrypted set of certificates in the subscriber equipment with the shared key.
According to a further aspect of the invention, a certificate server is provided for distributing a set of certificates to a certificate user, wherein the certificate user has subscriber equipment, wherein a first channel and a second channel are provided for communication between the subscriber equipment and the certificate server, and wherein the certificate server is provided for:
- generating a shared key and distributing the shared key to the subscriber equipment, or receiving a shared key from the subscriber equipment, via the second channel,
- generating a binary representation of the set of certificates that has a predefined maximum level of deviation from a uniform distribution,
- encrypting the binary representation of the set of certificates with the shared key,
- distributing the encrypted set of certificates from the certificate issuer to the subscriber equipment via the first channel.
According to a further aspect of the invention, subscriber equipment is provided for receiving a set of certificates from a certificate server, wherein a first channel and a second channel are provided for communication between the subscriber equipment and the certificate server, and wherein the subscriber equipment is provided for:
- generating a shared key and distributing the shared key to the certificate server, or receiving a shared key from the certificate server, via the second channel,
- receiving a binary representation of the set of certificates that has a predefined maximum level of deviation from a uniform distribution, wherein the binary representation of the set of certificates is encrypted with the shared key,
- decrypting the encrypted set of certificates with the shared key,
- storing the decrypted set of certificates.
The steps of the different aspects of the invention can be performed in different orders. In addition, steps can be combined, that is, two or more steps can for example be performed together.
Any device feature can be applied to a method aspect of the invention, and vice versa. Advantages of device features apply to the corresponding method features, and vice versa.
Description of drawings
Preferred embodiments of the invention are described below, by way of example only, with reference to the following schematic drawings.
The drawings are provided for illustrative purposes only and do not necessarily represent practical examples of the invention to scale. In the figures, the same reference numerals denote identical or similar parts.
Fig. 1 is a block diagram of a system according to an embodiment of the invention;
Fig. 2 is a block diagram of the smart card of the system;
Fig. 3 is a block diagram of the subscriber equipment of the system;
Fig. 4 is a block diagram of the server computer system of the system;
Fig. 5 is a block diagram of another system according to an embodiment of the invention;
Fig. 6 is a flow chart associated with the smart card;
Fig. 7 is a block diagram of the smart card memory;
Fig. 8 is a flow chart associated with the server computer system;
Fig. 9 is another flow chart associated with the smart card;
Fig. 10 is another block diagram of the smart card memory;
Fig. 11 is a further flow chart associated with the smart card;
Fig. 12 is another flow chart associated with the server computer system;
Fig. 13 is a further flow chart associated with the server computer system;
Fig. 14 is a further flow chart associated with the server computer system.
Detailed description of the embodiments
Fig. 1 shows a system 100 according to an embodiment of the invention. The system 100 comprises subscriber equipment 110. In this example embodiment of the invention, the subscriber equipment 110 is a mobile phone. Other examples of the subscriber equipment 110 include a personal digital assistant (PDA), a wired or cordless telephone, or any other user device. The subscriber equipment 110 comprises a smart card 115.
The system 100 comprises a server computer system 120, which is assigned to a certificate issuer 130 as a server. The certificate issuer 130 can be, for example, a bank, an insurance company, an online shop or another service entity that provides services. The certificate issuer 130 is provided for issuing a set 140 of certificates 145, in particular a set of one-time certificates. The certificates 145 can serve, for example, as a means of authentication or verification for accessing services of the certificate issuer 130 or for performing transactions with the certificate issuer 130. The certificate issuer 130 can comprise several server computer systems 120, for example a first server computer system for generating and distributing certificates and a second server computer system for verifying certificates. In this example embodiment of the invention, it is assumed that the one server computer system 120 shown performs the generation, distribution and verification of the certificates 145. According to an embodiment of the invention, the set 140 of certificates 145 is a transaction number (TAN) list. Each TAN of the TAN list represents a certificate 145, and the TAN list represents the set 140 of certificates 145.
A first channel 150 is established for communication between the subscriber equipment 110 and the server computer system 120. The first channel 150 comprises a communication network infrastructure 155. The communication network infrastructure 155 can be a wireless access network, for example a mobile telephone network such as a GSM network.
A second channel 160 is established for communication between the subscriber equipment 110 and the server computer system 120. According to this embodiment of the invention, the second channel 160 comprises a client computer system 170, which serves as a further device that can connect to the server computer system 120. The client computer system 170 comprises a display 176, a computer 177 and a keyboard 175 as human user interface. According to other embodiments of the invention, this further device can be a personal digital assistant (PDA), a wired or cordless telephone, or a mobile phone. The client computer system 170 can communicate with the server computer system 120 via a communication network infrastructure 180. In particular, the communication network infrastructure 180 can be the internet. In particular, the communication network infrastructure 180 can be a secure or trusted internet connection, for example an SSL connection. According to other embodiments of the invention, the communication network infrastructure 180 can comprise a wireless access network (for example a mobile telephone network) or a wired telephone network.
The subscriber equipment 110 and the client computer system 170 are assigned to a certificate user 190. The certificate user 190 can be a person or an entity that wants to use the certificates 145 to perform transactions with, or to access services of, the certificate issuer 130.
Human user interaction by the certificate user 190 is provided for communication between the client computer system 170 and the subscriber equipment 110. This human user interaction is part of the second channel 160. According to the embodiment of Fig. 1, the second channel 160 comprises a human user interface of the subscriber equipment 110 in the form of a keypad 340. In addition, the subscriber equipment 110 comprises a display 330.
To transfer information from the client computer system 170 to the subscriber equipment 110, the information can be shown on the display 176 of the client computer system 170. The certificate user 190 reads the information shown on the display 176 and enters it into the subscriber equipment 110 via the keypad 340. To transfer information from the subscriber equipment 110 to the client computer system 170, the information can be shown on the display 330 of the subscriber equipment 110. The certificate user 190 reads the information shown on the display 330 and enters it into the client computer system 170 via the keyboard 175.
The system 100 is provided for distributing the set 140 of certificates 145 from the certificate issuer 130 to the certificate user 190. The second channel 160 is provided for distributing a shared key K between the subscriber equipment 110 and the certificate issuer 130. In particular, the shared key K is a weak key. This distribution of the shared key K provides the initial setup for certificate distribution between the certificate user 190 and the certificate issuer 130.
According to an embodiment of the invention, the shared key K is generated by the server computer system 120 of the certificate issuer 130. The shared key K is then sent from the server computer system 120 to the client computer system 170 via the communication network infrastructure 180. The shared key is then shown on the display 176 of the client computer system 170, read by the certificate user 190, and manually entered by the certificate user 190 into the subscriber equipment 110 via the keypad 340. Because the shared key K can be a weak key and therefore a short key, entering it via the keypad 340 is convenient.
According to another embodiment of the invention, the shared key K is generated by the subscriber equipment 110. The shared key K is then shown on the display 330 of the subscriber equipment 110, read by the certificate user 190, and manually entered by the certificate user 190 into the client computer system 170 via the keyboard 175. The shared key K is then sent from the client computer system 170 to the server computer system 120 via the communication network infrastructure 180.
Because the shared key K can be a weak key and therefore a short key, it can be conveniently read from the display 330 and entered via the keyboard 175.
As a result of either of the two embodiments above, the certificate issuer 130 and the certificate user 190 have the shared key K and can use it to exchange encrypted information (in particular encrypted certificates) via the first channel 150.
The server computer system 120 is provided for generating a binary representation of the set 140 of certificates 145 that has a predefined maximum level of deviation from a uniform distribution. The server computer system 120 is also provided for encrypting this binary representation with the shared key K. The encrypted set 140 of certificates 145 is then sent from the server computer system 120 to the subscriber equipment 110 via the first channel 150. In the subscriber equipment 110, the encrypted set 140 of certificates 145 is decrypted with the shared key K and stored in the subscriber equipment 110 (in particular in the smart card 115).
Fig. 2 shows the smart card 115 of the subscriber equipment 110 in more detail.
The smart card 115 comprises a memory 200, a central processing unit (CPU) 210, a crypto engine 220 and an input/output (I/O) subsystem 230, all interconnected via a bus subsystem 240. Computer program code executable by the CPU 210 is stored in the memory 200. The computer program code comprises an operating system 250 in the form of a Java-compatible operating platform, and a toolkit 260. The toolkit 260 is application software in the form of a Java applet. The memory 200 also facilitates storing the set 140 of certificates 145 in a tamper-resistant manner. The set 140 of certificates 145 is also denoted as SC. The operating system 250 configures the CPU 210 to execute the toolkit 260. The toolkit 260 facilitates handling of the certificates 145 in the set of certificates 140. The functional aspects of the toolkit 260 are described in detail below. The crypto engine 220 comprises cryptographic processing logic for encrypting and decrypting data to be sent from, and received by, the smart card 115. The cryptographic processing logic can be implemented in hardware, in software, or in a combination of hardware and software.
Fig. 3 shows the subscriber equipment 110 in more detail. The subscriber equipment 110 comprises a radio frequency (RF) stage 300 with an RF antenna 310, control logic 320, a visual display 330 and a keypad 340, all interconnected by a bus subsystem 350. The smart card 115 is removably inserted into the subscriber equipment 110, and the I/O subsystem 230 of the smart card 115 is releasably connected to the bus subsystem 350 of the subscriber equipment 110. In operation, the RF stage 300 and the RF antenna 310 facilitate wireless communication between the subscriber equipment 110 and other devices connected to the first channel 150. The visual display 330 provides a graphical user interface between the user and the subscriber equipment 110 for functions such as preparing and reading messages. The keypad 340 gives the user keyboard control of the subscriber equipment 110 for functions such as data entry and call handling. The control logic 320 controls functions of the subscriber equipment 110, for example call handling, based on input received from, for example, the keypad 340. Output of the subscriber equipment 110, for example the display of data on the visual display 330 or outgoing calls via the RF stage 300, is also controlled by the control logic 320. Similarly, the control logic 320 coordinates data transfers, via the bus subsystem 350, from the smart card 115 and the other units of the subscriber equipment 110. The control logic 320 can be implemented in dedicated hardware, in a programmed CPU, or in a combination of dedicated hardware and a programmed CPU.
Fig. 4 shows the server computer system 120 in more detail. The server computer system 120 comprises a memory 400, a CPU 410 and an I/O subsystem 420, all interconnected by a bus subsystem 430. Computer program code executable by the CPU 410 is stored in the memory 400. The computer program code comprises an operating system 440 and certificate service application software (CSAS) 450. The operating system 440 configures the CPU 410 to execute the certificate service application software 450. The certificate service application software 450 facilitates handling of the set 140 of certificates 145. The functional aspects of the certificate service application software 450 are described in detail below.
In operation, the first channel 150 is established between the subscriber equipment 110 and the server computer system 120. The first channel 150 facilitates the transfer of the set 140 of certificates 145 from the certificate service application software 450 on the server computer system 120 to the smart card 115 in the subscriber equipment 110. The toolkit 260 can be loaded into the memory 200 of the subscriber equipment 110 while the smart card 115 is being configured for the user. Alternatively, the toolkit can be loaded into the memory 200 via the first channel 150 and refreshed dynamically. Access to the toolkit 260 in the memory 200 is protected by a PIN that the certificate user 190 sets via the subscriber equipment 110. The keypad 340 can be used for this purpose. Alternatively, if the subscriber equipment 110 has speech recognition, the PIN can be set and reset orally. Other devices may support still further means of data entry.
Fig. 5 shows a system 500 according to another embodiment of the invention. The first channel 150 of the system 500 is implemented in the same way as shown with reference to Fig. 1. The same reference numerals are therefore used for the units of the first channel 150. The second channel 520 is implemented differently from the second channel 160 of Fig. 1. The second channel 520 comprises a paper mail system. Paper mail can be delivered, for example, via the conventional postal system. The paper mail contains the shared key K to be distributed between the certificate issuer 130 and the certificate user 190. The shared key K is generated by the certificate issuer 130 or by the server computer system 120, respectively. It is then sent to the certificate user 190 by paper mail. The certificate user 190 opens the paper mail, reads the shared key K and manually enters the shared key K into the subscriber equipment 110 via the keypad 340.
A flow chart for the initial generation and distribution of the shared key K and for activating the toolkit 260 of the smart card 115 is described in more detail below with reference to Fig. 6. The flow chart of Fig. 6 is based on the system 100 described above with reference to Fig. 1.
In step 610, the server computer system 120 generates the shared key K and a certificate user identification code ID. The certificate user identification code ID is provided for identifying the corresponding certificate user 190 and for assigning the set 140 of certificates 145 and the generated shared key K to the corresponding certificate user 190.
In step 620, the shared key K and the corresponding certificate user identification code ID are sent to the client computer system 170 via the communication network infrastructure 180. In step 630, the shared key K and the certificate user identification code ID are shown on the display 176 of the client computer system 170.
In step 640, the certificate user 190 enters the PIN via the keypad 340. On receiving the PIN, the toolkit 260 requests the certificate user 190 to enter the shared key K and the certificate user identification code ID. In step 650, the certificate user 190 enters the shared key K and the certificate user identification code ID via the keypad 340. Again, if the subscriber equipment 110 has speech recognition, this data can be entered orally. However, it will be appreciated that this is a less secure input technique, because the user may be overheard while speaking the data. On receiving the user entries listed above, the toolkit 260 sends, in step 660, an initial message (for example an SMS message) containing the certificate user identification code ID to the certificate service application software 450 on the server computer system 120. This authentication message indicates to the certificate service application software 450 that the toolkit 260 has been enabled.
With reference to Fig. 7, the memory 200 on the smart card 115 now contains the PIN, the shared key K and the certificate user identification code ID.
With reference to Fig. 8, when the initial message is received at the server computer system 120, the certificate service application software 450 looks up the corresponding certificate user 190 by means of the certificate user identification code ID in step 810 and retrieves the shared key K issued for the certificate user 190. In step 820, the certificate service application software 450 then generates the set 140 of certificates 145 in a non-binary representation (for example a TAN list in the decimal number system). In step 830, a binary representation of the set 140 of certificates 145 that has a predefined maximum level of deviation from a uniform distribution is generated. In other words, the non-binary representation of the set 140 of certificates 145 is converted into a binary representation whose distribution of 0s and 1s has a predefined maximum level of deviation from a uniform distribution. In step 840, this binary representation is encrypted with the shared key K. In step 850, the encrypted set 140 of certificates 145 is sent from the server computer system 120 to the subscriber equipment 110 via the first channel 150.
With reference to Fig. 9, in step 910 the encrypted set 140 of certificates 145 is received at the subscriber equipment 110. In step 920, the toolkit 260 decrypts the encrypted set of certificates. The toolkit 260 uses the crypto engine 220 to decrypt the encrypted set 140 of certificates 145 with the shared key K. In step 930, the toolkit 260 then stores the decrypted set 140 of certificates 145 in the memory 200. Initialization is then complete. With reference to Fig. 10, the memory 200 now contains the shared key K, the PIN, the certificate user identification code ID and the set 140 of certificates 145.
Referring now to Fig. 11, when the certificate user 190 needs a certificate 145, for example to perform a bank transaction, the certificate user 190 again enters the PIN via the keypad 340 in step 1110, thereby unlocking the toolkit 260. In step 1120, the certificate user 190 then requests and reads a certificate 145 from the toolkit 260. Depending on the certificate distribution system used by the certificate issuer 130, the certificate 145 can be the next certificate in the set 140 of certificates 145, or a specific certificate 145. In step 1140, the subscriber equipment 110 shows the respective certificate 145 on the display 330, and the certificate user 190 can read this certificate 145 and use it to perform a transaction with the certificate issuer 130. In order to show the certificate 145 to the certificate user 190 in non-binary form, the toolkit 260 or a decoding unit of the subscriber equipment 110 maps or converts the binary representation of the set 140 of certificates 145 back into the non-binary representation. In other words, the toolkit 260 or the decoding unit decodes the binary representation of the set 140 of certificates 145. The toolkit 260 or the decoding unit of the subscriber equipment 110 has a corresponding decoding tool or decoding engine.
Fig. 12 shows a flow chart of a method, performed by the server computer system 120, for generating the binary representation of the set of certificates according to an embodiment of the invention. Fig. 13 shows a corresponding example embodiment of the representations of the set of certificates.
When the initial message from the subscriber equipment 110 is received at the server computer system 120, the certificate service application software 450 looks up the corresponding certificate user 190 by means of the certificate user identification code ID in step 1210 and retrieves the shared key K issued for the respective certificate user 190.
In step 1220, a first representation of the set of certificates is generated. Fig. 13 shows an example of the first representation 1310. The set of certificates is a TAN list. The first representation 1310 of the TAN list comprises the individual TANs in a structured form and arrangement. The individual TANs are ordered and have sequence numbers. As an example, the first TAN 8373 has the sequence number 01. The structure of this TAN list results in a first level of randomness.
In step 1230, the first representation 1310 of the TAN list is transformed into a second representation 1320 of the TAN list. In step 1230, the structured form and arrangement of the TAN list are removed from the first representation 1310. This is done by removing the sequence numbers of the individual TANs and the structured arrangement, and by placing the TANs one after another without intermediate spaces or structure. The second representation 1320 has a second level of randomness that is higher than the first level of randomness.
In step 1240, the second representation 1320 of the set of certificates is transformed into a binary representation 1330 that has a predefined maximum level of deviation from a uniform distribution.
For step 1240, one of the binary conversion or binary transformation methods described below can be used.
In step 1250, the binary representation 1330 that has a predefined maximum level of deviation from a uniform distribution is encrypted with the shared key K. This yields the encrypted set of certificates 1340.
In step 1260, the encrypted set of certificates is sent from the server computer system 120 to the subscriber equipment 110 via the first channel 150.
The step of generating a binary representation of the set of certificates that has a predefined maximum level of deviation from a uniform distribution is described in more detail below.
The set W that generally speaking, will comprise one or more word w (also being expressed as string w) that uses character list A structure by the set of certificates that first channel 150 transmits.Each word or string are corresponding to certificate.Character list A sets up certificate character list or certificate character set respectively.Certificate character list A is limited assemble of symbol, and it also is expressed as the certificate symbol.The certificate symbol can for example be character or numeral.Word w can connective word w to form message M, this message M is the sequence of the certificate symbol in the certificate character list A:
A={a1 ..., ak} has the certificate character list of k certificate symbol, k>=1
W=s1|s2|...|sj is by connecting j the word that certificate symbol s constructs, and s is the element of A, j>=1; Certificate represented in each word.
W=(w1 ..., the wq) set of q word, set of certificates is set up in q>=1.
M=w1|...|wq comprises the message of n certificate symbol s, and s is the element of A, n=sum (q=1, q) j (wq)
Can message M be considered as symbol sebolic addressing, and it is considered as the number that radix is k, for example:
M′=s1*k^0+s2*k^1+...+s(n-1)*k^(n-2)+s(n)*k^(n-1)
In order to process this message M in an encryption scheme and to send it from the certificate issuer 130 to the certificate user 190 via the first channel 150, it needs to be converted into a binary representation:
M″=b(1)*2^0+b(2)*2^1+...+b(r-1)*2^(r-2)+b(r)*2^(r-1)
where b(i) is bit number i of M″, r is the bit length of the converted message, and:
r is the smallest natural number with r >= ln2(k^n), where ln2 denotes the base-2 logarithm.
It is assumed that the certificate symbols s(i) in M′ are uniformly distributed. That is, the probability of occurrence of each symbol a(i) of the certificate alphabet A is 1/k.
If the certificate alphabet A is not a power of 2, the probability of occurrence of the symbols 0 and 1 in the binary representation M″ of the certificate set is 50%, but only up to the highest ln2(k) bits.
For the following example, assume that a bank, acting as the certificate issuer 130, wants to deliver a list of transaction numbers (TANs) as a list of certificates to the certificate user 190. Assume in this example that a TAN has 6 decimal digits and that the TAN list comprises 100 TANs.
The certificate set to be distributed from the certificate issuer 130 to the certificate user 190 via the first channel 150 thus comprises 600 random decimal digits. Assume further that the shared key K is a 12-digit decimal number.
To assess the security level of this example, assume that an attacker eavesdrops on the communication between the certificate issuer 130 and the certificate user 190 via the first channel 150. The attacker captures the encrypted message comprising the encrypted certificate set (i.e., the encrypted TAN list). The attacker can now run a brute-force attack, trying all keys in the key space and decrypting the encrypted message with the selected trial key. By observing the structure of the message, the attacker can recognise whether the decrypted message is a possible TAN list. If the selected trial key is not the correct key, the data in the decrypted message will be random. The attacker may use this to exclude keys.
According to one embodiment of the invention, the TAN list is regarded as a sequence of 600 decimal digits. The 600 decimal digits are divided into 200 groups of 3 decimal digits. These 200 groups establish the units for the binary conversion. The binary representation of the TAN list is generated using the following encoding or conversion scheme:
Each value 0-999 of the 3 decimal digits is encoded by a 10-bit binary representation (binary number). In general, a 10-bit binary encoding scheme allows 2^10=1024 values to be encoded. Hence there are some binary numbers (representations) that do not represent an encoded TAN. This introduces some redundancy or structure into the binary representation of the TAN list. However, the encoding or conversion scheme according to this embodiment of the invention is chosen such that the binary representation of the TAN list has a predefined maximum level of deviation from a uniform distribution. The predefined maximum level of deviation of the binary representation of the certificate set from a uniform distribution depends on the predefined security level, the key length of the shared key K and the predefined number of verification attempts. The predefined number of verification attempts is the number of attempts that the certificate issuer 130 allows before it deactivates or closes the respective account of the certificate user 190.
The security level of this example embodiment of the invention can be determined as follows. Decrypting the encrypted TAN list is equivalent to rolling 200 dice that each have the values 0 to (2^10-1). If all dice show only values from 0 to 999, the trial key may be the actual shared key. The probability that a single die shows a valid TAN value between 0 and 999 is Pu=10^3/2^10=97.66%. The probability that a trial decryption of the encrypted TAN list with a trial key yields only valid TANs is therefore:
Pl=Pu^100=0.871%
This means that, among the 10^12 possible trial keys, the attacker can exclude 99.129% of all candidate trial keys, leaving him with 8,700,000 possible keys. If the predefined number of verification attempts of the retry counter that the certificate issuer 130 keeps for wrong TAN entries is for example 5, the probability that the attacker hits the correct key is 5 in 8,700,000. This probability corresponds to the security level of the system 100. In this example, the security level can be improved by reducing the predefined number of verification attempts, by increasing the key length of the shared key, or by reducing the (maximum) level of deviation of the binary representation of the TAN list from a uniform distribution (i.e. increasing the level of randomness of the binary representation of the TAN list). By varying these three parameters, the certificate issuer 130 can adapt the security level to the respective application.
According to another embodiment of the invention, each individual certificate (in this example, each individual TAN comprising 6 decimal digits) is converted into a 20-bit binary representation. Accordingly, the 600 decimal digits are divided into 100 groups of 6 decimal digits. These 100 groups establish the units for the binary conversion in this example. The binary representation of the TAN list is generated using the following encoding scheme:
Each TAN (10^6) is encoded into 20 bits of binary data.
In other words, each value 0-999999 of the 6 decimal digits is encoded by a 20-bit binary representation (binary number). In general, a 20-bit binary encoding scheme allows 2^20=1048576 values to be encoded. Hence there are again some binary numbers that do not represent an encoded TAN. This introduces some redundancy or structure into the binary representation of the TAN list.
The security level of this example embodiment of the invention can be determined as follows. Decrypting the encrypted TAN list is equivalent to rolling 100 dice that each have the values 0 to (2^20-1). If all dice show only values from 0 to 999999, the trial key may be the actual (weak) shared key. The probability that a single die shows a valid TAN value between 0 and 999999 is Pu=10^6/2^20=95.37%. The probability that a trial decryption of the encrypted TAN list with a trial key yields only valid TANs is therefore:
Pl=Pu^100=0.871%
This means that, among the 10^12 possible trial keys, the attacker can exclude 99.13% of all candidate trial keys, leaving him with 8,700,000 possible keys. If the predefined number of verification attempts of the retry counter that the certificate issuer keeps for wrong TAN entries is for example 5, the probability that the attacker hits the correct key is 5 in 8,700,000. This probability corresponds to the security level of the system 100. The security level can be increased by reducing the predefined number of verification attempts, by increasing the key length of the weak key, or by reducing the (maximum) level of deviation of the binary representation of the TAN list from a uniform distribution. By varying these three parameters, the certificate issuer 130 can adapt the security level to the respective application.
According to one embodiment of the invention, the security level is chosen such that the chance of a brute-force attacker hitting the correct shared key is less than 1%.
According to one embodiment of the invention, the security level is chosen such that the chance of a brute-force attacker hitting the correct shared key is less than 0.01%.
According to one embodiment of the invention, the security level is chosen such that the chance of a brute-force attacker hitting the correct shared key is less than 0.00001%.
If one of these security levels or another security level has been set, the other parameters, i.e. the key length of the shared key, the number of verification attempts and the maximum level of deviation from a uniform distribution, can be chosen accordingly by the method described above.
According to yet another embodiment of the invention, groups of 2 individual certificates (in this example, two individual TANs comprising 12 decimal digits) are converted into a 40-bit binary representation. These 50 groups establish the units for the binary conversion. The binary representation of the TAN list is thus generated using the following encoding or conversion scheme:
Each unit of two TANs (10^12) is encoded into 40 bits of binary data.
In other words, each value 0-999999999999 of the 12 decimal digits is encoded by a 40-bit binary representation (binary number). In general, a 40-bit binary encoding scheme allows 2^40=1099511627776 values to be encoded. Hence there are again some binary numbers that do not represent an encoded TAN. This introduces some redundancy or structure into the binary representation of the TAN list.
The security level of this example embodiment of the invention can be determined as follows. Decrypting the encrypted TAN list is equivalent to rolling 50 dice that each have the values 0 to (2^40-1). If all dice show only values from 0 to 999999999999, the trial key may be the actual weak shared key. The probability that a single die shows a valid TAN value between 0 and 999999999999 is Pu=10^12/2^40=90.95%.
The probability that a trial decryption of the encrypted TAN list with a trial key yields only valid TANs is therefore again:
Pl=Pu^50=0.871%
This means that, among the 10^12 possible trial keys, the attacker can exclude 99.13% of all candidate trial keys, leaving him with 8,700,000 possible keys. If the predefined number of verification attempts of the retry counter that the certificate issuer keeps for wrong TAN entries is for example 5, the probability that the attacker hits the correct key is 5 in 8,700,000. This probability corresponds to the security level of the certificate system.
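The following Python sketch is an added example, not code from the patent: it implements the unit-wise binary conversion of the three embodiments above, the range test that lets an eavesdropper exclude a trial key, and the probabilities Pu and Pl. The function names and the sample digits are assumptions chosen for illustration.

```python
from fractions import Fraction
from typing import Optional

DECIMAL = set("0123456789")


def encode_units(digits: str, digits_per_unit: int, bits_per_unit: int) -> str:
    """Encode a decimal string unit by unit into fixed-width binary numbers."""
    if not set(digits) <= DECIMAL or len(digits) % digits_per_unit:
        raise ValueError("input must consist of decimal digits in whole units")
    if 10 ** digits_per_unit > 2 ** bits_per_unit:
        raise ValueError("a unit does not fit into the chosen bit width")
    return "".join(
        format(int(digits[i:i + digits_per_unit]), f"0{bits_per_unit}b")
        for i in range(0, len(digits), digits_per_unit)
    )


def decode_units(bits: str, digits_per_unit: int, bits_per_unit: int) -> Optional[str]:
    """Decode a bit string back into decimal digits.

    Returns None as soon as one unit lies outside 0..10^d-1. For a trial
    decryption this is exactly the condition under which the trial key can
    be excluded ("a die shows an invalid value").
    """
    if len(bits) % bits_per_unit:
        raise ValueError("bit string is not a whole number of units")
    limit = 10 ** digits_per_unit
    out = []
    for i in range(0, len(bits), bits_per_unit):
        value = int(bits[i:i + bits_per_unit], 2)
        if value >= limit:
            return None
        out.append(f"{value:0{digits_per_unit}d}")
    return "".join(out)


def unit_validity(digits_per_unit: int, bits_per_unit: int) -> Fraction:
    """Pu: probability that one uniformly random unit decodes to a valid value."""
    return Fraction(10 ** digits_per_unit, 2 ** bits_per_unit)


def survival_probability(total_digits: int, digits_per_unit: int,
                         bits_per_unit: int) -> Fraction:
    """Pl: probability that a wrong trial key passes the range test on every unit."""
    units = total_digits // digits_per_unit
    return unit_validity(digits_per_unit, bits_per_unit) ** units


def full_conversion_bits(k: int, n: int) -> int:
    """Smallest r with 2^r >= k^n: bit length of a full radix-k to binary conversion."""
    return (k ** n - 1).bit_length()


if __name__ == "__main__":
    # 600 decimal digits = 100 TANs of 6 digits, grouped as in the three embodiments.
    for d, b in ((3, 10), (6, 20), (12, 40)):
        pu = float(unit_validity(d, b))
        pl = float(survival_probability(600, d, b))
        print(f"{d:2d} digits -> {b:2d} bits: Pu = {pu:.2%}, Pl = {pl:.3%}")
    print("full conversion of 600 digits:", full_conversion_bits(10, 600), "bits")
```

All three groupings give the same Pl because each of them spends 2000 bits on the 600 digits, so Pl equals 10^600/2^2000 in every case.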
According to yet another embodiment of the invention, an encoding scheme is provided that offers additional message space for the message M. According to this embodiment of the invention, the certificate alphabet A is extended by a number of additional noise symbols. Noise symbols are symbols that are not valid certificate symbols. The extended alphabet is denoted as the noise alphabet Ax. The noise alphabet Ax comprises the certificate symbols of the certificate alphabet A and a number of noise symbols. Preferably, the number of additional noise symbols is chosen such that the total number of symbols in the noise alphabet is a power of 2.
In other words, an extended noise alphabet Ax is created, where:
Ax = {a1, ..., ak, ak+1, ..., akx}, where k < (kx == 2^x) < 2*k
ak+1, ..., akx are the noise symbols and a1, ..., ak are the certificate symbols.
As an example, in a TAN list only the decimal digits are regarded as valid certificate symbols. These decimal digits are extended by the noise symbols A, B, C, D, E and F.
The resulting noise alphabet comprises the certificate symbols 0, 1, 2, 3, 4, 5, 6, 7, 8 and 9 and the noise symbols A, B, C, D, E and F. The size of the noise alphabet is 2^4=16 symbols. Providing a noise alphabet whose size equals a power of 2 has the advantage that the binary representation of the certificate set has a uniform distribution of 0s and 1s.
Figure 14 illustrates a method for generating a binary representation of a certificate set that comprises noise symbols.
In step 1410, a certificate set comprising a predefined number of certificate symbols is generated. In this example it is again assumed that the certificate set is a TAN list comprising 600 decimal digits as certificate symbols. These 600 decimal digits represent 100 TANs. Step 1410 can be performed by a random generator of the certificate issuer 130. An example output of step 1410 may look as follows:
147462.......,
where only the first TAN, 147462, of the TAN list is shown and the further 99 TANs are represented by the ellipsis.
In step 1420, a random message is generated that comprises a number of pseudo-certificate symbols and noise symbols from the noise alphabet. The number of pseudo-certificate symbols is greater than or equal to the predefined number of certificate symbols. In this example, the predefined number of certificate symbols is the size of the TAN list, i.e. 600. The pseudo-certificate symbols are the decimal digits 0, 1, 2, 3, 4, 5, 6, 7, 8 and 9 of the certificate alphabet. The noise symbols are established by the symbols A, B, C, D, E and F. The random message can be generated by a random hexadecimal number generator. In this example the random message consists of 960 hexadecimal digits.
An example output of step 1420 may look as follows:
A35C9F1ADF86.......,
where only the first 12 symbols of the random message are shown and the further 948 symbols are represented by the ellipsis. The first 12 symbols of the random message comprise 6 pseudo-certificate symbols (3, 5, 9, 1, 8, 6) and 6 noise symbols (A, C, F, A, D, F).
In step 1430, a predefined set of the pseudo-certificate symbols of the random message is replaced by the certificate symbols. For example, the predefined set of pseudo-certificate symbols can be defined as the first 600 pseudo-certificate symbols in the random message.
In this example, the 6 pseudo-certificate symbols 3, 5, 9, 1, 8, 6 are replaced by the certificate symbols 1, 4, 7, 4, 6, 2 of the certificate set.
This yields the following message:
A14C7F4ADF62......,
where again only the first 12 symbols of the message are shown and the further 948 symbols are represented by dots.
In step 1440, a binary representation of this message is generated by means of a hexadecimal encoding scheme. This establishes a binary representation of the certificate set that has a predefined maximum level of deviation from a uniform distribution. This binary representation looks as follows:
1010 0001 0100 1100 0111 1111 0100 1010 1101 1111 0110 0010
where again only the first 12 symbols of the message are shown and the further 948 symbols are represented by dots.
The size overhead of this example compared with a full binary conversion of the TAN list can be calculated as follows:
600 decimal digits (10^600) can be encoded in 1994 bits.
The above scheme uses 960 hexadecimal digits, each of which is encoded with 4 bits. This yields 3940 bits, which is 193% of the full binary conversion.
The security level of this example embodiment of the invention can be determined as follows. The attacker can only exclude trial keys that yield decrypted messages with fewer than 600 certificate symbols, i.e. with fewer than 600 hexadecimal digits having one of the values 0, 1, 2, 3, 4, 5, 6, 7, 8 and 9. The probability of this is about 50% in this example. This can be calculated as follows:
The message comprises 960 hexadecimal digits. It is assumed that each of the 10 certificate symbols (0, 1, 2, 3, 4, 5, 6, 7, 8 and 9) occurs with the same probability 1/16. Hence the average number of certificate symbols in 960 hexadecimal digits is 10/16*960=600. In other words, the probability that a random message comprises fewer than 600 certificate symbols is about 50%. This probability is achieved at the cost of an additional message size of +93%.
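Steps 1410 to 1440 and the receiver's extraction can be traced with the following Python sketch, an added example that is not code from the patent. The function names are hypothetical, and redrawing the random message until it holds enough pseudo-certificate symbols is an assumption, since the text does not say how that condition is ensured.

```python
import secrets
from typing import Optional

CERT_SYMBOLS = "0123456789"        # certificate alphabet A of the TAN example
NOISE_SYMBOLS = "ABCDEF"           # noise symbols
NOISE_ALPHABET = CERT_SYMBOLS + NOISE_SYMBOLS   # Ax, 2^4 = 16 symbols


def random_message(length: int, min_cert_symbols: int) -> str:
    """Step 1420: random hexadecimal message with enough pseudo-certificate symbols.

    Assumption: the message is simply redrawn until the condition holds.
    """
    while True:
        msg = "".join(secrets.choice(NOISE_ALPHABET) for _ in range(length))
        if sum(c in CERT_SYMBOLS for c in msg) >= min_cert_symbols:
            return msg


def embed(certificates: str, message: str) -> str:
    """Step 1430: overwrite the first len(certificates) pseudo-certificate symbols."""
    if not set(certificates) <= set(CERT_SYMBOLS):
        raise ValueError("certificates must consist of certificate symbols only")
    remaining = iter(certificates)
    out = []
    for c in message:
        # Noise symbols stay in place; digits are replaced until the set is used up.
        out.append(next(remaining, c) if c in CERT_SYMBOLS else c)
    if next(remaining, None) is not None:
        raise ValueError("message holds too few pseudo-certificate symbols")
    return "".join(out)


def to_bits(message: str) -> str:
    """Step 1440: hexadecimal encoding, 4 bits per symbol, grouped for readability."""
    return " ".join(format(int(c, 16), "04b") for c in message)


def from_bits(bits: str) -> str:
    """Inverse of to_bits: rebuild the hexadecimal message from 4-bit groups."""
    return "".join(format(int(group, 2), "X") for group in bits.split())


def extract(message: str, count: int) -> Optional[str]:
    """Receiver side: the first `count` certificate symbols, noise skipped.

    Returns None if the message holds fewer than `count` certificate symbols,
    which is the only case in which a trial decryption can be ruled out.
    """
    digits = [c for c in message if c in CERT_SYMBOLS]
    return "".join(digits[:count]) if len(digits) >= count else None


if __name__ == "__main__":
    # Constructed sample values taken from the example in the text.
    msg = embed("147462", "A35C9F1ADF86")
    print(msg)                      # A14C7F4ADF62
    print(to_bits(msg))
    print(extract(from_bits(to_bits(msg)), 6))
```

Every 4-bit group decodes to a symbol of the noise alphabet, so no bit pattern is invalid in itself; a decrypted candidate is only distinguishable by its count of digit symbols.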
Any disclosed embodiment may be combined with one or several of the other embodiments shown and/or described. This is also possible for one or more features of the embodiments.
Additional embodiment details
The described techniques may be implemented as a method, apparatus or article of manufacture involving software, firmware, microcode, hardware and/or any combination thereof. The term "article of manufacture" as used herein refers to code or logic implemented in a medium, where such a medium may comprise hardware logic [e.g. an integrated circuit chip, programmable gate array (PGA), application-specific integrated circuit (ASIC), etc.] or a computer-readable medium such as a magnetic storage medium (e.g. hard disk drives, floppy disks, tape, etc.), optical storage (CD-ROMs, optical disks, etc.), volatile and non-volatile memory devices [e.g. electrically erasable programmable read-only memory (EEPROM), read-only memory (ROM), programmable read-only memory (PROM), random access memory (RAM), dynamic random access memory (DRAM), static random access memory (SRAM), flash memory, firmware, programmable logic, etc.]. Code in the computer-readable medium is accessed and executed by a processor. The medium in which the code or logic is encoded may also comprise transmission signals propagating through space or through a transmission medium such as an optical fibre, copper wire, etc. The transmission signal in which the code or logic is encoded may further comprise a wireless signal, satellite transmission, radio waves, infrared signals, Bluetooth, etc. The transmission signal in which the code or logic is encoded is capable of being transmitted by a transmitting station and received by a receiving station, where the code or logic encoded in the transmission signal may be decoded and stored in hardware or a computer-readable medium at the receiving and transmitting stations or devices. Additionally, the "article of manufacture" may comprise a combination of hardware and software components in which the code is embodied, processed and executed. Of course, those skilled in the art will recognise that many modifications may be made without departing from the scope of the embodiments, and that the article of manufacture may comprise any information-bearing medium. For example, the article of manufacture comprises a storage medium having stored therein instructions that, when executed by a machine, result in operations being performed.
Certain embodiments can take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment containing both hardware and software elements. In a preferred embodiment, the invention is implemented in software, which includes but is not limited to firmware, resident software, microcode, etc.
Furthermore, certain embodiments can take the form of a computer program product accessible from a computer-usable or computer-readable medium providing program code for use by or in connection with a computer or any instruction execution system. For the purposes of this description, a computer-usable or computer-readable medium can be any apparatus that can contain, store, communicate, propagate or transport the program for use by or in connection with the instruction execution system, apparatus or device. The medium can be an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system (or apparatus or device) or a propagation medium. Examples of a computer-readable medium include a semiconductor or solid-state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk and an optical disk. Current examples of optical disks include compact disk read-only memory (CD-ROM), compact disk read/write (CD-R/W) and DVD.
The terms "certain embodiments", "an embodiment", "embodiment", "embodiments", "the embodiment", "the embodiments", "one or more embodiments", "some embodiments" and "one embodiment" mean one or more (but not all) embodiments unless expressly specified otherwise. The terms "comprising", "having" and variations thereof mean "including but not limited to" unless expressly specified otherwise. An enumerated listing of items does not imply that any or all of the items are mutually exclusive unless expressly specified otherwise. The terms "a", "an" and "the" mean "one or more" unless expressly specified otherwise.
Devices that are in communication with each other need not be in continuous communication with each other unless expressly specified otherwise. In addition, devices that are in communication with each other may communicate directly or indirectly through one or more intermediaries. Additionally, a description of an embodiment with several components in communication with each other does not imply that all such components are required. On the contrary, a variety of optional components are described to illustrate the wide variety of possible embodiments.
Further, although process steps, method steps, algorithms or the like may be described in a sequential order, such processes, methods and algorithms may be configured to work in alternate orders. In other words, any sequence or order of steps that may be described does not necessarily indicate a requirement that the steps be performed in that order. Further, some steps may be performed simultaneously, in parallel or concurrently.
When a single device or article is described herein, it will be apparent that more than one device/article (whether or not they cooperate) may be used in place of the single device/article. Similarly, where more than one device or article is described herein (whether or not they cooperate), it will be apparent that a single device/article may be used in place of the more than one device or article. The functionality and/or the features of a device may alternatively be embodied by one or more other devices that are not explicitly described as having such functionality/features. Thus, other embodiments need not include the device itself.
Computer program means or computer program in the present context mean any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after a) conversion to another language, code or notation and/or reproduction in a different material form.

Claims (28)

1. A method for distributing a set (140) of certificates (145) from a certificate issuer (130) to a certificate user (190), wherein the certificate user (190) has a user device (110), wherein a first channel (150) and a second channel (160) are provided for communication between the user device (110) and the certificate issuer (130), the method comprising the steps of:
- distributing a shared key (K) between the user device (110) and the certificate issuer (130) by means of the second channel (160),
- generating a binary representation of the set (140) of certificates (145) that has a predefined maximum level of deviation from a uniform distribution,
- encrypting the binary representation of the set (140) of certificates (145) by means of the shared key (K),
- distributing the encrypted set (140) of certificates (145) from the certificate issuer (130) to the user device (110) via the first channel (150),
- decrypting the encrypted set (140) of certificates (145) by the user device (110) by means of the shared key (K).
2. The method according to claim 1, further comprising the step of providing a decrypted certificate (145) from the certificate user (190) to the certificate issuer (130) for verification, wherein the certificate issuer (130) is provided for allowing only a predefined number of verification attempts.
3. The method according to claim 1 or 2, wherein the predefined maximum level of deviation of the binary representation of the set (140) of certificates (145) from a uniform distribution depends on: a predefined security level, the key length of the shared key (K) and a predefined number of verification attempts.
4. The method according to any preceding claim, wherein the shared key (K) is a weak key.
5. The method according to any preceding claim, wherein the second channel (160) comprises a human user interface (340, 175).
6. The method according to any preceding claim, further comprising the steps of:
- generating and displaying the shared key (K) by the user device (110),
- manually entering the shared key (K) on another device (170) by the certificate user (190),
- sending the shared key (K) from the other device (170) to the certificate issuer (130).
7. The method according to any preceding claim, further comprising the steps of:
- generating the shared key (K) by the certificate issuer (130),
- sending the shared key (K) from the certificate issuer (130) to the other device (170),
- displaying the shared key (K) by the other device (170),
- manually entering the shared key (K) on the user device (110) by the certificate user (190).
8. The method according to any preceding claim, wherein the certificates (145) comprise a predefined number of certificate symbols, and wherein the certificate symbols are elements of a certificate alphabet.
9. The method according to claim 8, wherein the size of the certificate alphabet is chosen as a power of 2.
10. The method according to any preceding claim, further comprising the step of adding noise symbols to the set (140) of certificates (145).
11. The method according to claim 10, wherein the noise symbols are taken from a noise alphabet comprising the certificate symbols and one or more noise symbols, wherein the size of the noise alphabet is chosen as a power of 2.
12. The method according to claim 11, further comprising the steps of:
- generating a set (140) of certificates (145) comprising a predefined number of certificate symbols,
- generating a random message comprising pseudo-certificate symbols and noise symbols taken from the noise alphabet, wherein the number of pseudo-certificate symbols is greater than or equal to the predefined number of certificate symbols of the set (140) of certificates (145),
- replacing, in the random message, a predefined set of the pseudo-certificate symbols by the certificate symbols of the set (140) of certificates (145),
- generating a binary representation of the random message, thereby establishing the binary representation of the set (140) of certificates (145) that has the predefined maximum level of deviation from a uniform distribution.
13. The method according to any preceding claim, wherein generating the binary representation of the set (140) of certificates (145) that has the predefined maximum level of deviation from a uniform distribution comprises the sub-steps of:
- generating a first representation of the set (140) of certificates (145) that has a first level of randomness,
- converting the first representation into a second representation of the set (140) of certificates (145) that has a second level of randomness, wherein the second level of randomness is higher than the first level of randomness,
- converting the second representation of the set (140) of certificates (145) into the binary representation that has the predefined maximum level of deviation from a uniform distribution.
14. The method according to any preceding claim, wherein the set (140) of certificates (145) is divided into units for binary conversion, wherein the units for binary conversion are chosen such that the ratio of binary representations that do not represent certificate symbols is less than a predefined ratio.
15. The method according to any preceding claim, wherein the set (140) of certificates (145) is divided into units for binary conversion, each unit comprising two or more certificate symbols.
16. The method according to any preceding claim, wherein the first channel (150) is an untrusted channel and the second channel (160) is a trusted channel.
17. The method according to any preceding claim, wherein the certificates (145) are one-time authentication codes.
18. The method according to any preceding claim, wherein the first channel (150) is a wireless communication channel and the second channel (160) comprises one of a secure internet connection, a telephone line and a mail service.
19. The method according to any preceding claim, wherein the user device (110) comprises one of a mobile phone and a personal digital assistant.
20. A method for distributing a set (140) of certificates (145) from a certificate issuer (130) to a certificate user (160), wherein the certificate user (190) has a user device (110), wherein a first channel (150) and a second channel (160) are provided for communication between the user device (110) and the certificate issuer (130), wherein the method comprises, in a certificate server (120), the steps of:
- generating a shared key (K) and distributing the shared key (K) to the user device (110), or receiving a shared key from the user device (110), via the second channel (160),
- generating a binary representation of the set (140) of certificates (145) that has a predefined maximum level of deviation from a uniform distribution,
- encrypting the binary representation of the set (140) of certificates (145) by means of the shared key (K),
- distributing the encrypted set (140) of certificates (145) to the user device (110) via the first channel (150).
21. A computer program comprising instructions for carrying out the steps of the method according to claim 20 when said computer program is executed on a computer system.
22. A method for receiving, by a user device (110), a set (140) of certificates (145) from a certificate server (120), wherein a first channel (150) and a second channel (160) are provided for communication between the user device (110) and the certificate server (120), wherein the method comprises, in the user device (110), the steps of:
- generating a shared key (K) and distributing the shared key (K) to the certificate server (120), or receiving a shared key (K) from the certificate server (120), via the second channel (160),
- receiving a binary representation of the set (140) of certificates (145) that has a predefined maximum level of deviation from a uniform distribution, wherein the binary representation of the set (140) of certificates (145) is encrypted by means of the shared key (K),
- decrypting the encrypted set (140) of certificates (145) by means of the shared key (K),
- storing the decrypted set (140) of certificates (145).
23. A computer program comprising instructions for carrying out the steps of the method according to claim 22 when said computer program is executed on a computer system.
24. A method for securely sending a set (140) of certificates (145) from a certificate issuer (130) to a certificate user (190) via an untrusted channel (150), the method comprising the steps of:
- generating a binary representation of the set (140) of certificates (145) that has a predefined maximum level of deviation from a uniform distribution,
- encrypting the binary representation of the set (140) of certificates (145) by means of a shared key (K),
- sending the encrypted set (140) of certificates (145) from the certificate issuer (130) to the certificate user (190) via the untrusted channel (150).
25. A computer program comprising instructions for carrying out the steps of the method according to claim 24 when said computer program is executed on a computer system.
26. A system (100) for distributing a set (140) of certificates (145) from a certificate issuance side (130) to a certificate user (190), wherein said certificate user (190) has a subscriber equipment (110), wherein a first channel (150) and a second channel (160) are provided for communication between said subscriber equipment (110) and said certificate issuance side (130), said system (100) being provided for:
- distributing a shared key (K) between said subscriber equipment (110) and said certificate issuance side (130) via said second channel (160),
- generating a binary representation of said set (140) of certificates (145), the binary representation having a predefined maximum deviation level with respect to a uniform distribution,
- encrypting said binary representation of said set (140) of certificates (145) by said shared key (K),
- distributing said encrypted set (140) of certificates (145) from said certificate issuance side (130) to said subscriber equipment (110) via said first channel (150),
- decrypting, by said subscriber equipment (110), said encrypted set (140) of certificates (145) by said shared key (K).
27. A certificate server (120) for distributing a set (140) of certificates (145) to a certificate user (190), wherein said certificate user (190) has a subscriber equipment (110), wherein a first channel (150) and a second channel (160) are provided for communication between said subscriber equipment (110) and said certificate server (120), said certificate server (120) being provided for:
- generating a shared key (K) and distributing said shared key (K) to said subscriber equipment (110), or receiving a shared key (K) from said subscriber equipment (110) via said second channel (160),
- generating a binary representation of said set (140) of certificates (145), the binary representation having a predefined maximum deviation level with respect to a uniform distribution,
- encrypting said binary representation of said set (140) of certificates (145) by said shared key (K),
- distributing said encrypted set (140) of certificates (145) from said certificate issuance side (130) to said subscriber equipment (110) via said first channel (160).
28. A subscriber equipment (110) provided for receiving a set (140) of certificates (145) from a certificate server (120), wherein a first channel (150) and a second channel (160) are provided for communication between said subscriber equipment (110) and said certificate server (120), said subscriber equipment (110) being provided for:
- generating a shared key (K) and distributing said shared key (K) to said certificate server (120), or receiving a shared key (K) from said certificate server (120) via said second channel (160),
- receiving a binary representation of said set (140) of certificates (145), the binary representation having a predefined maximum deviation level with respect to a uniform distribution, wherein said binary representation of said set (140) of certificates (145) is encrypted by said shared key (K),
- decrypting said encrypted set (140) of certificates (145) by said shared key (K),
- storing said decrypted set (140) of certificates (145).
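The claims above leave open how the binary representation and the cipher are built. The following is an added example, not code from the patent: it shows one construction whose deviation from a uniform distribution is bounded by a chosen 2^-s, and it measures how many wrong key guesses a trial decryption can rule out, compared with sending the same set as plain ASCII digits. Assumptions not taken from the page: 6-digit decimal certificates, the `v + r*M` padding scheme, a SHAKE-256 keystream as a stand-in cipher, and a short 4-digit shared key K.

```python
import hashlib
import secrets
from fractions import Fraction

DIGITS = 6        # assumption: each certificate is a 6-digit decimal code
PAD_BITS = 32     # s: the predefined maximum deviation level is 2**-s

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Length-preserving stand-in cipher: XOR with a SHAKE-256 keystream (one use per key)."""
    stream = hashlib.shake_256(b"demo-stream" + key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def layout(count: int):
    """Return (M, nbytes, q): size of the value space, encoded length, usable offsets."""
    m = 10 ** (DIGITS * count)
    nbytes = ((m - 1).bit_length() + PAD_BITS + 7) // 8
    return m, nbytes, (1 << (8 * nbytes)) // m

def encode_uniform(certs):
    """Encode the set as v + r*M with random r, so the bytes are close to uniform."""
    m, nbytes, q = layout(len(certs))
    return (int("".join(certs)) + secrets.randbelow(q) * m).to_bytes(nbytes, "big")

def decode_uniform(blob: bytes, count: int):
    """Return the list of codes, or None if blob falls in the unused top sliver."""
    m, _, q = layout(count)
    x = int.from_bytes(blob, "big")
    if x >= q * m:
        return None
    digits = str(x % m).zfill(DIGITS * count)
    return [digits[i:i + DIGITS] for i in range(0, len(digits), DIGITS)]

def max_deviation(count: int) -> Fraction:
    """Exact fraction of byte strings that cannot be a valid encoding (< 2**-PAD_BITS)."""
    m, nbytes, q = layout(count)
    return Fraction((1 << (8 * nbytes)) - q * m, 1 << (8 * nbytes))

def rejected_wrong_keys(ciphertext: bytes, true_key: bytes, looks_valid) -> int:
    """Count the wrong 4-digit keys whose trial decryption is recognisably invalid."""
    wrong = (f"{i:04d}".encode() for i in range(10_000))
    return sum(1 for k in wrong
               if k != true_key and not looks_valid(keystream_xor(k, ciphertext)))

def demo():
    certs = ["004217", "918350", "770021", "305968",   # constructed sample set
             "641109", "059874", "223456", "890012"]
    key = b"4831"                                       # constructed short shared key K
    ascii_ct = keystream_xor(key, "".join(certs).encode())
    uniform_ct = keystream_xor(key, encode_uniform(certs))
    assert decode_uniform(keystream_xor(key, uniform_ct), len(certs)) == certs
    return (rejected_wrong_keys(ascii_ct, key, bytes.isdigit),
            rejected_wrong_keys(uniform_ct, key,
                                lambda p: decode_uniform(p, len(certs)) is not None))

if __name__ == "__main__":
    print(demo(), float(max_deviation(8)))
```

With the ASCII encoding every wrong key is ruled out, so the ciphertext alone confirms K; with the near-uniform encoding essentially none are. By the same reasoning, an integrity tag keyed only by K would reintroduce a check for key guesses.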
CN2008800106013A 2007-04-05 2008-04-01 System and method for distribution of credentials Expired - Fee Related CN101647228B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
EP07105710 2007-04-05
EP07105710.3 2007-04-05
PCT/IB2008/051216 WO2008122923A2 (en) 2007-04-05 2008-04-01 System and method for distribution of credentials

Publications (2)

Publication Number Publication Date
CN101647228A (en) 2010-02-10
CN101647228B (en) 2012-08-29

Family

ID=39789323

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008800106013A Expired - Fee Related CN101647228B (en) 2007-04-05 2008-04-01 System and method for distribution of credentials

Country Status (5)

Country Link
US (2) US8214642B2 (en)
EP (1) EP2143232B1 (en)
KR (1) KR20100016579A (en)
CN (1) CN101647228B (en)
WO (1) WO2008122923A2 (en)

Also Published As

Publication number Publication date
WO2008122923A2 (en) 2008-10-16
WO2008122923A3 (en) 2008-12-18
US8214642B2 (en) 2012-07-03
US20080250244A1 (en) 2008-10-09
EP2143232B1 (en) 2016-07-06
KR20100016579A (en) 2010-02-12
US20120233465A1 (en) 2012-09-13
EP2143232A2 (en) 2010-01-13
US9112680B2 (en) 2015-08-18
CN101647228B (en) 2012-08-29

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120829